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Amendments to the Claims : 

This following listing of claims will replace all prior versions and listings of claims in the 
application. 

1. (original) A method facilitating classification of data flows, comprising 

monitoring a data flow associated with a host relative to at least one behavioral 
attribute; 

comparing the at least one behavioral attribute observed in the monitoring step to a 
knowledgebase of at least one known application behavior pattern; and 
classifying the data flow based bn the comparing step. 

2. (original) The method of claim 1 wherein the at?Ieas;t one behavioral attribute is packet size. 

3. (original) The method of claim I wherein the at least one behavioral attribute is packet size 
of the first packet in the data flow. 

4. (original) The method of claim 1 wherein the at least one behavioral attribute is packet size 
of the second packet in the data flow. 

5. (original) The method of claim 1 wherein the at least one behavioral attribute is packet size 
of plurality of packets in the data flow. 

. ■ •• r • 

6. (original) The method of claim 1 wherein the at least one behavioral attribute is the 
information density associated with at least one packet in the data flow. 

7. (original) The method of claim 1 wherein the at least one behavioral attribute is the 
information density associated with the first packet in the data flow. 
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8. (original) The method of claim 1 wherein the at least one behavioral attribute is the timing of 
the data flow relative to at least one similar data flow associated with the host. 

9. (original) The method of claim 1 wherein the at least one behavioral attribute is the number 
of related data flows associated \vith the host. 

10. (original) The method of claim 1 wherein the at least one behavioral attribute is the timing 
between at least two packets in the data flow. 

11. (original) The method of claim 1 wherein the at least one behavioral attribute is a sequence 
of protocol flags contained in packets of the data flow. 

12. (original) The method of claim 1 wherein the at least one behavioral attribute is timing of 
protocol flags contained in packets of the data flow. 

13. (original) The method of claim 1 wherein the at least one behavioral attribute is the timing 
and sequence protocol flags contained in packets of the data flow. 

14. (original) The method of claim 1 wherein the application behavior pattern comprises at least 
one instance of any one of the following a packet size pattern, a threshold information density 
value, a threshold inter-flow timing value, or a threshold number of related application data 
flows. 

15. (original) The method of claim I wherein the application behavior pattern characterizes the 
first group of packets of a data flow associated with a traffic class. 

16. (original) The method of claim 14 wherein the application behavior pattern characterizes 
the first group of packets of a data flow associated with a traffic class, and wherein the first 
group of packets are characterized in relation to at least one instance of any one of the following: 
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a packet size pattern, a threshold information density value, a threshold inter-flow timing value, 
or a threshold number of related application data flows. 

17. (currently amended) A method facilitating classification of data flows, comprising 

modeling behavior of a network application to generate an application behavior 
pattern; and \ 

configuring a network traffic monitoring device to classify data flows against the 
application behavior pattern; 

wherein the application behavior pattern comprises at least one instance of any one of the 
following: a packet size pattern, a threshold information density value, a threshold inter-flow 
timing value, or a threshold number of related application data flows. 

18. (original) The method:of daim;:17 whereSkth€.,appiicat4OT Bi^vior;pattern .comprises -at., 
least one instance of any pne of the fol lowing: a packet size pattern, a threshold information 
density value, a threshold inter-flow timing value, or a threshold number of related application 
data flows, an inter- packet timing value, a sequence of protocol flags, an inter-packet protocol 
flag timing value. 

19. (currently amended) The method of claim 18 wherein the protocol flags are Transport 
Control Protocol (TCP) ¥ GP protocol flags. 

20. (original) A method facilitating classification of data flows, comprising 

monitoring the data flows associated with a host relative to at least one application 
behavior model corresponding to a traffic class; 

matching at least one of the data flows associated with the host to a traffic class, if a 
threshold number of the data flows match a corresponding application behavior model. 

21. (currently amended) An apparatus comprising 

a packet processor operative to 
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detect data flows in network traffic traversing a communications path, the data 
flows each comprising at least one packet; 

parse at least one packet associated with a data flow into a flow specification, 
a traffic classification engine operative to 

match the data flow to a plurality of traffic classes, wherein at least one of the 
plurality of traffic classes is defined by one or more matching attributes, wherein said matching 
attributes are explicitly presented in the packets associated with the data flows, and wherein at 
least one other o f the traffic classes is_defined by one or more application behavior patterns^ 
wherein the application behavior patterns each comprise at least one instance of any one of the 
following: a packet size pattern, a threshold information density value, a threshold inter-flow 
timing value, or a threshold number of related application dataflows, an inter-packet timing 
value, a sequence of protocol flags, or an inter-packet protocol flag timing value; 

having fou nd a matching traffic class in the matching step, associate the flow 
specification corresponding to the data flow with a traffic class from the plurality of traffic 
classes; 

22. (canceled) 

23. (currently amended) The apparatus of claim 21 wherein said flow specification contains at 
least one instance of any one of the following; a protocol family designation, a direction of 
packet flow designation, a protocol type designation, a pair of hosts, a pair of ports, a pointer to 
a multipurpose internet mail extensions (MIME) M iMg type, and a pointer to an application- 
specific attribute. 

24. (currently amended) The apparatus of claim [[22]] 21 wherein said flow specification 
contains, and wherein the one or more matching attributes include, at least one instance of any 
one of the following: a protocol family designation, a direction of packet flow designation, a 
protocol type designation, a pair of hosts, a pair of ports, a pointer to a multipurpose internet 
mail extensions (MlME)M lMfe type, and a pointer to an application-specific attribute. 
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25. (original) The apparatus of claim 21 further comprising 

a flow control module operative to apply bandwidth utilization controls to the data 
flows based on the traffic class associated with the data flows. 

26. (original) A method facilitating classification of data flows, comprising 

detecting a data flow in network traffic traversing a communications path, the data 
flows each comprising at least one packet; 

parsing explicit attributes at least one packet associated with the data flow into a flow 
specification, 

matching the flow specification to a first plurality of traffic classes, wherein the first 
plurality of traffic classes; are each defined by one or more matcHingattribu tes; 

havingfound a matching traffic class in the matdto 
specification corresponding to the data flow with a traffic class from the first plurality of traffic 
classes, 

not having found a matching traffic class in the first plurality of traffic classes, matching 
the data flow to at least one additional traffic class, the additional traffic class defined by an 
application behavior pattern, the application behavior pattern comprising comprises at least one 
instance of: a packet size pattern, a threshold information density value, a threshold inter-flow 
timing value, or a threshold number of related application data flows. 

27. (currently amended) The method of claim 26 wherein the flow specification contains at 
least one instance of any one of the following: a protocol family designation, a direction of 
packet flow designation, a protocol type designation, a pair of hosts, a pair of ports, a pointer to 
a multipurpose internet mail extensions (MI ME) M tMfe type, and a pointer to an application- 
specific attribute. 

28. (currently amended) The method of claim 26 wherein said flow specification contains, and 
wherein the one or more matching attributes include, at least one instance of any one of the 
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following: a protocol family designation, a direction of packet flow designation, a protocol type 
designation, a pair of hosts, a pair of ports, a pointer to a multipurpose internet mail extensions 
(MIME) MIME type, and a pointer to an application-specific attribute. 

29. (currently amended) A method facilitating the classification of network traffic, comprising 

detecting a data flow in network traffic traversing a communication^ path, the data flow 
comprisi ng at least one packet; 

applying a mathematical function to at least one packet in the data flow to derive a 
computed value that characterizes entropy of information contained in the at least one packet ; 

comparing the computed value to at lease one traffic class, said traffic class defined, at 
least in part, by a required computed value. 

30. (original) The method of claim 29 wherein the required computed value is determined by 
applying the mathematical function to data flows known to be of the traffic class. 

31. (original) The method of claim 29 wherein the mathematical function computes a value 
indicating the information density of at least one packet. 

32. (original) The method of claim 29 wherein the required computed value is a range of values. 

33. (currently amended) A method facilitating the classification of network traffic, comprising 

detecting a data flow in network traffic traversing a communications path, the data flow 
comprisi ng at least one packet containing a first checksum ; 

applying a mathematical function to at least one packet in the data flow to derive a 
second c hecksum; 

comparing the computed second c hecksum to the first checksum value contained in the 
at least one packet; 

matching the data flow to a traffic class, wherein the traffic class is defined at least in 
part by whether the computed second checksum should match the first c hecksum vakae in the 
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at least one packet. 



